23 February 2006

Integrity of E-balloting System Still in Doubt

Los Angeles Times, Feb. 23, 2006

[...] As the last two presidential elections demonstrate, ballot results are of profound interest to everybody — including determined hackers with partisan agendas. Therefore, it's proper to demand of the high-tech machines replacing the paper ballots and punch cards of yore that they be technologically bulletproof. The Diebold systems certified by McPherson — an optical scanner that reads hand-marked ballots and a touch screen that totes up votes directly — fall well short of that standard.

How do we know this? It's the conclusion of a panel of computer security experts McPherson commissioned specifically to study Diebold's software. Three days after they issued their report Feb. 14, McPherson gave Diebold thumbs up, noting that the panel regarded the software problems it found as "manageable" and had said the risks could be "mitigated" if election officials took care.

But the experts were plainly troubled by flaws in Diebold's systems. The panel, which included David Jefferson of Lawrence Livermore National Laboratory and David Wagner of Berkeley, observed that the removable memory cards used by Diebold were vulnerable to undetectable acts of tampering.

The panel found 16 software bugs that could cede "complete control" of the system to hackers who might then "change vote totals, modify reports, change the names of candidates, change the races being voted on," and even crash the machines, bringing an election to a halt. Hackers wouldn't need to know passwords or cryptographic keys, or have access to any other part of the system, to do their dirty work. Voters, candidates and election monitors wouldn't necessarily know they'd been rooked.

The bugs lead some computer professionals to believe that Diebold's software designers never treated security as a high priority. "It's like they were making a mechanical device, and never heard of computer security," says David Dill, an expert in electronic voting at Stanford University who wasn't on the panel.

The bugs pale next to another discovery by the panel. This is the presence of a cryptographic key written into the source code, or basic software, of every Diebold touch-screen machine in the country. The researchers called this blunder tantamount to "a bank using the same PIN code for every ATM card they issued; if this PIN code ever became known, the exposure could be tremendous."

Here's the punch line: The Diebold key became known in 2003, when it was published by researchers at Johns Hopkins and Rice universities. It can be found today via a Google search. What's worse, the key was first identified in 1997 by a University of Iowa researcher, who promptly warned the manufacturer of the flaw, apparently to no avail.

Government Accountability Report

While electronic voting systems hold promise for a more accurate and efficient election process, numerous entities have raised concerns about their security and reliability, citing instances of weak security controls, system design flaws, inadequate system version control, inadequate security testing, incorrect system configuration, poor security management, and vague or incomplete voting system standards, among other issues. For example, studies found (1) some electronic voting systems did not encrypt cast ballots or system audit logs, and it was possible to alter both without being detected; (2) it was possible to alter the files that define how a ballot looks and works so that the votes for one candidate could be recorded for a different candidate; and (3) vendors installed uncertified versions of voting system software at the local level. It is important to note that many of the reported concerns were drawn from specific system makes and models or from a specific jurisdiction's election, and that there is a lack of consensus among election officials and other experts on the pervasiveness of the concerns. Nevertheless, some of these concerns were reported to have caused local problems in federal elections resulting in the loss or miscount of votes and therefore merit attention.

"In Ohio" - Free MP3

Madog Pavanelli & the Virtual Country Boys' new song, "In Ohio"

3 TIMES IN OHIO

Ohio's Presidential Election was a fraud in 2000 and 2004. Care to go for three? They can. They control the elections. That'll be three times Ohio handed over the country. What about the current insane financial devastation? With that, George Bush can cross the last task off his "to screwup" list. Congress and the major candidates don't even want to get it. Wall Street most surely gets it - and keeps on getting it. Meanwhile people are losing their homes, jobs and savings. We need to hold them all accountable and stop all this. In Ohio, the poster child for stolen elections... does Main Street really care??